Debian Security Advisory
DSA-2480-4 request-tracker3.8 -- several vulnerabilities
- Date Reported:
- 15 Sep 2012
- Affected Packages:
- request-tracker3.8
- Vulnerable:
- Yes
- Security database references:
- In the Debian bugtracking system: Bug 674924, Bug 675369.
In Mitre's CVE dictionary: CVE-2011-2082, CVE-2011-2083, CVE-2011-2084, CVE-2011-2085, CVE-2011-4458, CVE-2011-4459, CVE-2011-4460. - More information:
-
Several vulnerabilities were discovered in Request Tracker, an issue tracking system:
- CVE-2011-2082
The vulnerable-passwords scripts introduced for CVE-2011-0009 failed to correct the password hashes of disabled users.
- CVE-2011-2083
Several cross-site scripting issues have been discovered.
- CVE-2011-2084
Password hashes could be disclosed by privileged users.
- CVE-2011-2085
Several cross-site request forgery vulnerabilities have been found. If this update breaks your setup, you can restore the old behaviour by setting $RestrictReferrer to 0.
- CVE-2011-4458
The code to support variable envelope return paths allowed the execution of arbitrary code.
- CVE-2011-4459
Disabled groups were not fully accounted as disabled.
- CVE-2011-4460
SQL injection vulnerability, only exploitable by privileged users.
Please note that if you run request-tracker3.8 under the Apache web server, you must stop and start Apache manually. The
restart
mechanism is not recommended, especially when using mod_perl.For the stable distribution (squeeze), these problems have been fixed in version 3.8.8-7+squeeze5.
For the unstable distribution (sid), these problems have been fixed in version 4.0.5-3.
We recommend that you upgrade your request-tracker3.8 packages.
- CVE-2011-2082